Abstract

Multikey fully homomorphic encryption, proposed by Lopez-Alt et al. (STOC12), is a significant primitive that allows one to perform computation on ciphertexts encrypted independently under multiple different keys. Since then, several schemes have been constructed based on the decisional small polynomial ratio or learning with errors assumptions. These schemes all require an expansion algorithm that transforms a ciphertext under a single key into an encryption of the same message under a set of keys. To achieve this expansion without interaction with the key holders, their encryption algorithm not only outputs a ciphertext of a plaintext but also exports auxiliary information derived from the randomness used in that encryption. Beyond that, the size of a ciphertext under multiple keys grows linearly or quadratically in the number of participants. In this paper, we study whether one can directly perform arbitrary computation on ciphertexts encrypted under different keys without any auxiliary information in the output of the encryption algorithm and without any increase in ciphertext size from an expansion algorithm. To this end, we propose a novel and simple scheme for secure computation on ciphertexts under two different keys directly, without any auxiliary information. In other words, each party simply provides its own ciphertexts encrypted with the GSW scheme (CRYPTO13). When evaluation is performed on these ciphertexts, the size of the resulting ciphertext remains the same as that of a GSW ciphertext.

1. Introduction

The concept of multikey fully homomorphic encryption was proposed by Lopez-Alt et al. [1]; it allows someone to perform arbitrary computations on ciphertexts encrypted under multiple different secret keys. Specifically, each party independently encrypts its input , obtaining a ciphertext , and one can homomorphically evaluate an arbitrary function on these encrypted data without interaction between the parties. Since then, there has been a lot of research [2–12] on its assumptions, functionalities, and performance.

The main application of multikey FHE is a setting where a group of parties is asked to engage in a computing task only after they have already submitted their data. This is a significant difference from the applications of traditional (single-key) encryption schemes. For example, two hospitals want to cooperate and study the factors influencing some disease. However, the data of their patients was encrypted and stored on their own servers before this cooperation began. How could an evaluation algorithm be performed directly on these ciphertexts without decrypting them? In [1], Lopez-Alt et al. focused on a problem whereby an (untrusted) cloud server wants to perform some computation over data from multiple clients without interacting with them after each client has transmitted its own (encrypted) input to the cloud and the other clients. In the scheme proposed by Lopez-Alt et al. [1], although a ciphertext contains only an encryption of a plaintext, the size of a ciphertext under multiple secret keys becomes much larger than that of the original ciphertext, and its security is based on a nonstandard assumption. The ciphertext's length depends on the number of participants, growing at least linearly in it. In the scheme of Clear and McGoldrick [3], an encryption of a message contains a universal mask generated by another public-key encryption scheme. Also, the ratio of the size of a ciphertext under multiple keys to that under a single key grows quadratically with the number of associated participants. Afterwards, Mukherjee and Wichs [2] proposed an optimized scheme with a simpler generation of the universal mask. However, there is still auxiliary information in the encryption algorithm, and the ratio remains quadratic. Following these works, two independent multikey fully homomorphic encryption schemes were introduced by Brakerski and Perlman [5] and Peikert and Shiehian [4], respectively.
In the former scheme, although the authors replaced the universal mask with a bootstrapping algorithm, the ciphertext's growth rate is still linear, and its evaluation keys are generated by the previous multikey fully homomorphic encryption schemes. There are two versions in [4]. In the first scheme, the encryption of a message contains a commitment to the message and an encryption of the randomness used in that commitment. The ratio becomes linear. In the second one, the encryption algorithm outputs only a ciphertext of a message, but the ratio becomes quadratic and the evaluation keys are generated by the first scheme. In [13], the growth rate is quadratic, and the output of the encryption algorithm also contains auxiliary information in addition to a ciphertext of a plaintext. Recently, Chen et al. [6] proposed a multikey FHE scheme based on the ring-LWE (Learning with Errors) assumption, in which the ciphertext-extension algorithm only generates the evaluation keys for the multikey scheme, but the size of a ciphertext under multiple keys still depends on the number of associated parties.

The first multikey fully homomorphic encryption scheme was proposed by Lopez-Alt et al., but their solution is based on nonstandard assumptions. Subsequent solutions, despite being based on standard cryptographic assumptions (LWE), have two common shortcomings. The first is that they require the encryption not only of the plaintext but also of the random numbers that were used; namely, , and . Each ciphertext must be accompanied by additional information . The second is that the length of the ciphertext increases linearly or quadratically with the number of participants. In this paper, our main research problem is how to perform secure computation directly on ciphertext data provided by each user, without any additional information . These ciphertexts are encrypted under different secret keys. Our main focus here is the case of encryption under two different keys. We begin with the GSW13 encryption scheme [14], since we notice that the core of its decryption algorithm is the inner product of two vectors; that is, , where d is a large constant. As such, if we want to compute the product of ciphertexts and encrypted under different secret keys, we only need to compute . This is because . The final result is the desired one, with as one of its factors. However, there is another problem: the constant factor becomes , and the small noises and are also multiplied by a large number. Therefore, we must find a way to reduce the constant factor to while keeping the noise within an acceptable range. Because the noise in a ciphertext grows with the number of addition and multiplication operations, once it exceeds a bound fixed by the public parameters it causes the output ciphertext to decrypt incorrectly. Therefore, we must limit the noise growth during evaluation.

Our approach is to decrypt in two steps rather than multiplying directly by two secret keys. First, a single secret key is used to decrypt, that is, (denoted as ), then is computed and rounded to obtain . Finally, the other secret key is used to decrypt tc and recover the final plaintext . Throughout, the noise is kept small because it is never multiplied by a large constant factor. In summary, the above describes how to perform multiplication on ciphertexts encrypted under two different keys. Addition can be reduced to multiplication; that is, , where and are encryptions of the plaintext 1 under the two different secret keys. At this point, we have addition and multiplication on ciphertexts encrypted under two different secret keys. However, this scheme has a shortcoming: the multiplication can be performed only once, since the result of multiplying ciphertexts under two different secret keys cannot be multiplied by further ciphertexts. To support arbitrary polynomial computation, we write any polynomial with inputs as follows: , where the inputs of are and the inputs of are . In this way, we first use the single-key fully homomorphic encryption scheme to compute and as intermediate results, and then compute the final result with our proposed method. Therefore, our secure computation involves only the GSW13 encryption scheme, with no need for additional information U. Moreover, unlike previous schemes, where the ciphertext size grows linearly or quadratically with the number of secret keys, the ciphertext in our scheme always keeps its original size.

Our Contributions. We propose a protocol that allows one to evaluate any polynomial function directly on GSW ciphertexts under two different keys. Unlike previous works, each party provides only GSW ciphertexts, without any auxiliary information about its private inputs, and the size of the resulting ciphertext remains unchanged when evaluations are performed on these ciphertexts. In our Addition and Multiplication algorithms on ciphertexts under two different keys, the noise increases linearly. Compared to the scheme in [1], our scheme is based on a standard assumption. Our scheme reduces the size of a ciphertext under a single key from in [2, 3] to , where is the lattice dimension and is the modulus. Compared to the scheme in [5], our scheme does not require the expensive technique of bootstrapping to transform a ciphertext under a single key into a ciphertext under a set of keys. In the first scheme of [4], the size of a ciphertext under a single key is . The second scheme of [4] requires its first scheme to generate a public key of larger size. Unlike the scheme in [6], the public key in our scheme has the same size as in the GSW13 scheme, whereas theirs is times the size of the GSW13 public key.


3. Preliminary

3.1. Learning with Errors, SIVP, and GapSVP

Regev first introduced the Learning with Errors (LWE) problem in 2005 and showed, via a quantum reduction, that solving LWE is at least as hard as worst-case lattice problems. Later, Peikert gave an efficient classical reduction from lattice problems to LWE. The details are given below.

Definition 1. (Learning with Errors). Let be the security parameter, let be the integer dimension of a lattice, let be an integer modulus, and let be an error distribution over .
(i) (Search LWE) Sample uniformly and then draw uniformly, . Set . The search LWE problem, denoted , is to find given the samples .
(ii) (Decision LWE) The decision LWE problem, denoted , is to distinguish two distributions. The first is the uniform distribution over . The second is obtained by first sampling and then drawing by sampling uniformly, , and setting .
The Learning with Errors (LWE) assumption is that is intractable.

Definition 2. . Let be an dimension lattice. The problem is to output linearly independent vectors such that , where .

Definition 3. . Let be an dimension lattice and let be a real number. is to distinguish whether or , where is the length of the shortest vector in .

Definition 4. (B-bounded distributions). A distribution ensemble over the integers is called B-bounded if

Theorem 1. Let be either a prime power or a product of small (size poly(n)) distinct primes, , and let be an efficiently sampleable B-bounded distribution. If there exists an efficient algorithm solving the problem, then
(i) there is an efficient quantum algorithm for on any n-dimensional lattice;
(ii) there is an efficient classical algorithm that solves on any n-dimensional lattice.
In both cases, if one also considers solving with subpolynomial advantage, then one requires and .

3.2. Fully Homomorphic Encryption

A fully homomorphic encryption scheme is a tuple of algorithms (Gen, Enc, Dec, Eval) described as follows:
Gen: on the security parameter , output a public key , a secret key , and a public evaluation key .
Enc: encrypt a message from the plaintext space and output a ciphertext .
Dec: decrypt a valid ciphertext and output the corresponding message ; otherwise, output a special symbol .
Eval: on input the public evaluation key , a function , and a sequence of ciphertexts corresponding to the sequence of plaintexts , output a valid ciphertext corresponding to the message .

We say that a scheme is fully homomorphic if it satisfies the following two properties.
Correctness: denote the class of all arithmetic circuits over by . For an arbitrary circuit , the following inequality holds:
Compactness: there exists a polynomial such that the output length of Eval is at most bits, independent of the function and of the number of inputs.

3.3. Multikey Fully Homomorphic Encryption

Definition 5. (multikey FHE). A multikey FHE is a tuple of algorithms (Setup, Keygen, Encrypt, Expand, Eval, Decrypt) described as follows:
Setup: on the security parameter and the circuit depth , the setup algorithm outputs the system parameters . We assume that all the other algorithms implicitly take as an input.
Keygen: generate a secret key and a public key .
Encrypt: take a public key and a message as input and output a ciphertext .
Expand: on a sequence of public keys and a fresh ciphertext under the th key , output an expanded ciphertext .
Eval: given a Boolean circuit of depth along with expanded ciphertexts , output an evaluated ciphertext .
Decrypt: take a ciphertext and a sequence of secret keys as input and output a message .
The following properties hold:
Semantic Security of Encryption. For any polynomial and any two messages , the distribution (, Encrypt()) is computationally indistinguishable from the distribution (, Encrypt), where Setup and Keygen.
Correctness and Compactness. Let Setup. Consider any sequence of correctly generated key pairs and any tuple of messages . For any sequence of indices where each , let be encryptions of the messages under the th public key and let be the corresponding expanded ciphertexts. Let be any Boolean circuit of depth and let be the evaluated ciphertext. Then the following hold:
Correctness of Expansion. , Decrypt.
Correctness of Evaluation. Decrypt.
Compactness. There exists a polynomial such that . In other words, the size of should be independent of and but may depend on .

4. A Scheme of Evaluation on Two-Key Ciphertexts for Any Polynomial

In this section, we formally describe our fully homomorphic encryption scheme. First, we introduce the three operations used in the encryption algorithm to keep noise growth slow. Consider three vectors , , and .

, where is the j-th element of the binary representation of .

, where .

.

We can see that expands each element of a vector into its binary representation, can be seen as the inverse operation of , and maps each element of a vector to a number in . Applied to a matrix, each of these three operations acts on every column vector of the matrix separately. That is, ; and on a matrix are defined in the same way.

Our scheme consists of the following probabilistic polynomial time algorithms (Setup, Gen, Enc, Dec, Add, Mult, Add2, Mult2, and Dec2).
Setup: let be the security parameter and let be the maximum circuit depth. Choose appropriate LWE parameters: a modulus , a lattice dimension , and an error distribution . Choose the parameter . Set . Let and .
Gen: choose randomly. Choose a random matrix and a vector . Set . Output the secret key and the public key . Let (note that ).
Enc: choose a random matrix . Then encrypt the message as follows:

Output the ciphertext .
Dec: let . Output  = └┐.
Add: to add two ciphertexts , output .
Mult: to multiply two ciphertexts , output .
Mult2: the two keys are generated independently by the algorithm Gen() on the common parameters. If is not encrypted under or is not encrypted under , then output . Otherwise, output .
Add2: if is not encrypted under or is not encrypted under , then output . Otherwise, let and be encryptions of the message 1 under and , respectively, and output .
Dec2: if is a ciphertext evaluated from two ciphertexts under the public keys and , respectively, then the first secret key holder computes and sends it to the holder. Similarly, the holder computes and sends it to the first holder. Then, the holder outputs and the holder outputs .

The evaluation algorithm Eval(), which evaluates a depth-L circuit on polynomially many GSW ciphertexts, is composed of the Add and Mult operations.
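The three operations introduced at the start of this section and the single-key part of the scheme (Gen, Enc, Dec, Add, Mult) are standard GSW13 components, and the noise bound that Theorem 3 later relies on is easiest to see by computing it. The following is an added toy implementation written for this article; it is not the paper's code, and its parameters (n = 2, q = 2^12, a {-1, 0, 1} error distribution, and the row-wise decomposition convention of GSW13 rather than the column-wise one used above) are assumptions chosen for readability, not security. The two-key algorithms Mult2, Add2 and Dec2 are not implemented here, since their formulas are not reproduced on this page.

```python
import random

# Toy GSW13 over Z_q, added here as an illustration of the single-key scheme
# this section builds on. The parameters are tiny so the arithmetic is easy
# to follow; they are an assumption of this example and give no security.
n, q = 2, 2 ** 12            # lattice dimension n and modulus q
ell = q.bit_length() - 1     # ell = log2(q): bits per Z_q element
N = (n + 1) * ell            # gadget dimension N = (n + 1) * ell
m = 2 * N                    # number of LWE samples in the public key
rng = random.Random(7)       # fixed seed so the example is reproducible


def centered(x):
    """Representative of x mod q in [-q/2, q/2)."""
    return (x + q // 2) % q - q // 2


def bit_decomp(a):
    """BitDecomp: each Z_q entry becomes its ell bits, least significant first."""
    return [((x % q) >> j) & 1 for x in a for j in range(ell)]


def bit_decomp_inv(a2):
    """BitDecomp^-1: fold each run of ell entries back into sum_j 2^j * a2[i*ell+j] mod q.
    The entries need not be bits; that is what makes Flatten useful."""
    return [sum(a2[i * ell + j] << j for j in range(ell)) % q
            for i in range(len(a2) // ell)]


def flatten(a2):
    """Flatten = BitDecomp(BitDecomp^-1(.)): re-binarise without changing <., Powersof2(s)>."""
    return bit_decomp(bit_decomp_inv(a2))


def powers_of_2(s):
    """Powersof2: (s_1, 2 s_1, ..., 2^(ell-1) s_1, s_2, ...) mod q."""
    return [(x << j) % q for x in s for j in range(ell)]


def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % q


def mat_mul(A, B):
    cols = list(zip(*B))
    return [[inner(row, col) for col in cols] for row in A]


def gadget_identities(a, a2, s):
    """The three facts the operations rest on, for a in Z^(n+1), a2 in Z^N, secret s in Z_q^(n+1):
    BitDecomp^-1 undoes BitDecomp, <BitDecomp(a), Powersof2(s)> = <a, s>,
    and Flatten preserves the inner product with Powersof2(s)."""
    v = powers_of_2(s)
    return (bit_decomp_inv(bit_decomp(a)) == [x % q for x in a],
            inner(bit_decomp(a), v) == inner(a, s),
            inner(flatten(a2), v) == inner(a2, v))


def keygen():
    """Secret s = (1, -t); public A = [b | B] with b = B t + e, so that A s = e (mod q)."""
    t = [rng.randrange(q) for _ in range(n)]
    s = [1] + [(-x) % q for x in t]
    B = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.choice((-1, 0, 1)) for _ in range(m)]     # B-bounded error with B = 1
    A = [[(inner(B[i], t) + e[i]) % q] + B[i] for i in range(m)]
    return A, powers_of_2(s)                             # v = Powersof2(s) is all Dec needs


def encrypt(A, mu):
    """C = Flatten(mu * I_N + BitDecomp(R A)), R in {0,1}^(N x m); then C v = mu v + R e."""
    R = [[rng.randrange(2) for _ in range(m)] for _ in range(N)]
    rows = [bit_decomp(row) for row in mat_mul(R, A)]
    for i in range(N):
        rows[i][i] += mu
    return [flatten(row) for row in rows]


def add(C1, C2):
    return [flatten([x + y for x, y in zip(r1, r2)]) for r1, r2 in zip(C1, C2)]


def mult(C1, C2):
    return [flatten(row) for row in mat_mul(C1, C2)]


def noise(v, C, mu):
    """max |e_i| in C v = mu v + e; decrypt() is correct while this stays below q/8."""
    return max(abs(centered(inner(C[i], v) - mu * v[i])) for i in range(N))


def decrypt(v, C):
    """Row i with v_i = 2^(ell-2) = q/4 gives <C_i, v> = mu * q/4 + e_i; round and reduce mod 2."""
    i = ell - 2
    return round(centered(inner(C[i], v)) / (q // 4)) % 2


def demo(mu1, mu2):
    """Encrypt two bits under one key; return (dec C1, dec C2, dec(C1 + C2), dec(C1 C2), bound holds).
    C1 C2 v = mu2 (mu1 v + e1) + C1 e2, so the product noise is at most |e1| + N |e2|."""
    A, v = keygen()
    C1, C2 = encrypt(A, mu1), encrypt(A, mu2)
    P = mult(C1, C2)
    bound_ok = noise(v, P, mu1 * mu2) <= noise(v, C1, mu1) + N * noise(v, C2, mu2)
    return decrypt(v, C1), decrypt(v, C2), decrypt(v, add(C1, C2)), decrypt(v, P), bound_ok


if __name__ == "__main__":
    print(demo(1, 1))   # dec(C1 + C2) is (mu1 + mu2) mod 2
```

The `noise` function is the quantity the correctness analysis in Section 6 tracks: a fresh ciphertext carries noise R e of size about m·B, addition sums the two noises, and multiplication by a binary N×N matrix multiplies one of them by at most N, which is why the depth L enters the parameter choice through a factor of roughly N^L.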

5. Evaluation on Two-Key FHE Ciphertexts

5.1. Multiplication

Assume that is a GSW ciphertext of the message under the public key and is that of under . and are secret keys corresponding to and , respectively. Set Powerof2, . This function Powerof2() transforms a vector into a new vector , where is the length of the binary representation of the modulus .

, where .

: Compute (└┐)T + , denoted as , where is the th row of a ciphertext of a message 0 under the secret key such that └()┐. Output └┐.

Theorem 2. Suppose that are ciphertexts under the secret keys , respectively. If is obtained from or , the probability that the decryption algorithm on inputs fails to decrypt correctly is negligible. That is, there exists a negligible function of the security parameter satisfying the following inequality:

Proof. Obviously, . We also know that the first elements of are . Thus, we can decrypt the ciphertext as  = └┐. Set and . So, . Running the first part of the decryption algorithm, we obtain tc = (└┐)T +  = (└┐)T + = (└┐)T +  = . After the second part, we get └┐ = └┐ =  That is to say, a single multiplication of two ciphertexts under different secret keys at most doubles the noise, because the noise in the intermediate ciphertext can be viewed as that of an addition of two GSW ciphertexts under the same secret key. Therefore, the ciphertexts obtained from this multiplication algorithm can be decrypted correctly.
We can easily see that one multiplication at most doubles the noise. Thus, neither scaling up the parameters nor appending auxiliary information is necessary. We can directly perform one multiplication on two ciphertexts encrypted under two different keys without changing anything in the original GSW scheme.

5.2. Addition

We can achieve the Addition operation by using the operation Multiplication. That is, , where is a ciphertext of message 1 under the secret key , .

According to Theorem 2, one Multiplication of two ciphertexts under different secret keys doubles the noise. Thus, one Addition would quadruple the noise, faster than Multiplication. However, it is easy to see that the ciphertext does not need to hide its plaintext, which is the fixed constant 1. Therefore, when constructing , we can set the randomness to zero. That is to say, is a special "ciphertext" of the plaintext 1 without noise. With this change, the operations Addition and Multiplication have the same noise growth.

Note that the Add2 operation supports not only two ciphertexts under different secret keys as input, but also one ciphertext output by the Add2 or Mult2 procedure together with one ciphertext under a single key, as well as two ciphertexts output by those procedures. The details of these cases follow.

Assume that is output by the Add2 or Mult2 procedure and is a ciphertext under the secret key , where . Then , where is a ciphertext of message 1 under the secret key .

Assume that are both output by the Add2 or Mult2 procedure. Then, . This extends to the case of polynomially many ciphertexts from the Add2 or Mult2 procedure as input.

5.3. Evaluation of Any Polynomial Function

Assume that is an arbitrary polynomial function of inputs, denoted as , which can be rewritten as , where and are all bounded-depth circuits. Now, we have ciphertexts, denoted under the public key and under the public key . So, , where and .

Because and are all L-bounded-depth circuits, and can be decrypted correctly by the secret keys and , respectively. The operations Addition and Multiplication both cause the noise to increase linearly. Therefore, the output of the algorithm Eval can be decrypted correctly.

6. Analysis

6.1. Correctness

Suppose that and are GSW ciphertexts of the plaintexts and under the public keys and , respectively, so that . These two ciphertexts may be fresh GSW ciphertexts or ciphertexts evaluated through a circuit of depth less than L. A fresh GSW ciphertext has bounded noise, namely . After one homomorphic operation the error is bounded by . So, is a ciphertext with bounded noise. From the analysis in the previous section, the noise in Mult2 is bounded by . Moreover, the noise in the addition of and increases linearly, just as in Multiplication. So, after one homomorphic operation on two ciphertexts under different encryption keys, the noise grows to . We only consider one multiplication of two ciphertexts under different keys followed by polynomially many additions of such products. Thus, we assume there are additions. The noise of the final evaluated ciphertext is bounded by . As long as this bound is less than , we can decrypt the evaluated ciphertext correctly. We simply set . Then holds, so that GSW ciphertexts can be decrypted correctly. Also, . Hence we can correctly decrypt ciphertexts evaluated through quadratic computations on ciphertexts under two different keys. We summarize this in the following theorems.

Theorem 3. Given the parameters, a modulus , a lattice dimension , a bounded distribution , and the max circuit-depth , set . If , we can decrypt correctly a ciphertext from evaluating a depth-L circuit.

Theorem 4. Given the above parameters , and , the number of additions in a quadratic function, if , we can correctly decrypt a ciphertext obtained by performing a quadratic computation on fresh GSW ciphertexts under two different keys or on ciphertexts evaluated through a depth-L circuit under two different keys.

6.2. Security

The security of our scheme depends on that of the GSW scheme. The inputs of the evaluation algorithm are only GSW-type ciphertexts, two public keys, and some common parameters, with no other information about the private inputs. Thus, this process reveals no knowledge. In the decryption process, the output of the first part is indistinguishable from the uniform distribution because it adds a fresh ciphertext of the message 0, which introduces fresh noise into the intermediate result. So, we can conclude the following theorem.

Theorem 5. If the GSW scheme is semantically secure, then so is our scheme. That is, if there exists a probabilistic polynomial time adversary that can distinguish the distribution of GSW ciphertexts from the uniform distribution, we can construct another probabilistic polynomial time adversary that can distinguish the distribution of our scheme's ciphertexts from the uniform distribution.

7. Conclusion

In this paper, we present an efficient algorithm for secure computation on ciphertexts under two different keys. In previous works, when evaluating multikey ciphertexts, the size of the ciphertext grows with the number of participants at a linear or faster rate. Even where the ciphertext size remains invariant, the encryption algorithm also outputs auxiliary information about the plaintexts. We wanted to evaluate directly on GSW ciphertexts from two parties without any auxiliary information or interaction between them. We designed a scheme in which one can directly evaluate any polynomial function on GSW ciphertexts under two different keys.

Data Availability

No data were used to support this study.

Conflicts of Interest

The author declares that there are no conflicts of interest.